Sunday, October 14, 2007

Chip and PIN Point-of-Sale Interceptor Prototype

Via University of Cambridge - Computer Laboratory (Mike Bond) -

Our "Chip and PIN" Point-of-Sale Interceptor has attracted some attention in the German media recently, since TV coverage on ARD TV's Plusminus, by Sabina Wolf, and a corresponding press release from Westdeutscher Rundfunk. This page briefly explains the principle of the interceptor, and what it achieves.

Our interceptor is a prototype device which sits between a Point-of-Sale (POS) terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – "the conversation" – between the chip card and the terminal, and from this can retrieve and store the customer's account number. In the case of the cheaper "Static Data Authentication" (SDA) Chip and PIN cards, which are used by most UK banks, it can also store the customer's entered PIN, when it is sent from the terminal to the card, just after the customer types it in.

Such a device could be miniaturised and concealed as part of one of the roughly 450 000 POS terminals in the UK. It could silently record account details and PINs of all customers using it, unknown to them, and possibly unknown to the shop owner. Such account details and PINs could be used to make counterfeit magnetic stripe cards which could be used in foreign countries which do not have Chip and PIN, or in Chip and PIN countries where the magnetic stripe "fallback" system works side by side with the chip system. In the UK magnetic stripe fallback is possible at some but not all cash machines; also some UK cash machines have not even been upgraded to read chips at all.
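As an added illustration (not part of the original Cambridge page), the Python sketch below audits a card profile the way an issuer or tester might: it decodes the Application Interchange Profile and the cardholder verification method (CVM) list to report whether the card asks the terminal to send the offline PIN in the clear, which is the SDA case described above. The tag numbers and bit meanings are taken from the public EMV specification rather than from the page, and the two card profiles are constructed sample values.

```python
# Added example: EMV tag and bit meanings come from the public EMV
# specification (Book 3), not from the page. Sample profiles are constructed.

# CVM code (low 6 bits) -> (description, PIN crosses the contacts in clear?)
CVM_METHODS = {
    0x01: ("plaintext PIN verified by card", True),
    0x02: ("enciphered PIN verified online", False),
    0x03: ("plaintext PIN verified by card + signature", True),
    0x04: ("enciphered PIN verified by card", False),
    0x05: ("enciphered PIN verified by card + signature", False),
    0x1E: ("signature", False),
    0x1F: ("no CVM required", False),
}

def offline_auth_methods(aip: bytes) -> set:
    """Decode byte 1 of the Application Interchange Profile (tag 82)."""
    if len(aip) != 2:
        raise ValueError("AIP must be 2 bytes")
    flags = {0x40: "SDA", 0x20: "DDA", 0x01: "CDA"}
    return {name for bit, name in flags.items() if aip[0] & bit}

def parse_cvm_list(cvm_list: bytes) -> list:
    """Tag 8E: amounts X and Y (4 bytes each), then 2-byte CVM rules."""
    rules = cvm_list[8:]
    if len(rules) < 2 or len(rules) % 2:
        raise ValueError("malformed CVM list")
    return [rules[i] & 0x3F for i in range(0, len(rules), 2)]

def audit_profile(aip: bytes, cvm_list: bytes) -> dict:
    auth = offline_auth_methods(aip)
    clear = [CVM_METHODS[c][0] for c in parse_cvm_list(cvm_list)
             if CVM_METHODS.get(c, ("unknown", False))[1]]
    return {
        "offline_auth": sorted(auth),
        "sda_only": auth == {"SDA"},
        "clear_pin_methods": clear,
        "pin_exposed_on_interface": bool(clear),
    }

# Constructed profiles: an SDA-only card and a DDA card with enciphered PIN.
SDA_AIP, SDA_CVM = bytes.fromhex("5800"), bytes.fromhex("000000000000000041031E031F00")
DDA_AIP, DDA_CVM = bytes.fromhex("7C00"), bytes.fromhex("0000000000000000440342031E031F00")

if __name__ == "__main__":
    for name, aip, cvm in (("SDA", SDA_AIP, SDA_CVM), ("DDA", DDA_AIP, DDA_CVM)):
        print(name, audit_profile(aip, cvm))
```

A card that supports DDA but still lists a plaintext PIN method is reported as exposed as well, since the exposure follows from the CVM list rather than from the authentication method alone.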
